1. Home
  2. ATT&CK Techniques
  3. T1525 Implant Internal Image

T1525 Implant Internal Image Mappings

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1525 Implant Internal Image
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1525 Implant Internal Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1525 Implant Internal Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Internal Image
aws_config AWS Config technique_scores T1525 Implant Internal Image
Comments
The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: "approved-amis-by-id" and "approved-amis-by-tag", both of which are run on configuration changes. This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html